{
|
|
"type": "bundle",
|
|
"id": "bundle--58ed2c42-04f0-44b7-baa4-9f1f02de0b81",
|
|
"objects": [
|
|
{
|
|
"type": "identity",
|
|
"spec_version": "2.1",
|
|
"id": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:31:01.000Z",
|
|
"modified": "2017-04-11T19:31:01.000Z",
|
|
"name": "CIRCL",
|
|
"identity_class": "organization"
|
|
},
|
|
{
|
|
"type": "report",
|
|
"spec_version": "2.1",
|
|
"id": "report--58ed2c42-04f0-44b7-baa4-9f1f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:31:01.000Z",
|
|
"modified": "2017-04-11T19:31:01.000Z",
|
|
"name": "OSINT - CVE-2017-0199: In the Wild Attacks Leveraging HTA Handler",
|
|
"published": "2017-04-11T19:37:35Z",
|
|
"object_refs": [
|
|
"x-misp-attribute--58ed2c51-35cc-45dc-9afe-4c0102de0b81",
|
|
"observed-data--58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81",
|
|
"url--58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81",
|
|
"indicator--58ed2caa-a484-459e-ab44-446802de0b81",
|
|
"indicator--58ed2cab-1eec-4d47-8efe-455502de0b81",
|
|
"indicator--58ed2cac-fc8c-49d8-a0e3-47f302de0b81",
|
|
"indicator--58ed2cad-febc-4229-b7bd-430f02de0b81",
|
|
"vulnerability--58ed2cbc-9e64-4851-9097-475802de0b81",
|
|
"indicator--58ed2d51-5fec-442b-a196-41dd02de0b81",
|
|
"indicator--58ed2d52-d5d0-4238-ad25-496502de0b81",
|
|
"indicator--58ed2d53-d174-406f-9e97-438e02de0b81",
|
|
"indicator--58ed2d54-b650-421e-a53e-435c02de0b81",
|
|
"indicator--58ed2d55-aaa0-4f29-86dd-494402de0b81",
|
|
"indicator--58ed2d56-1cfc-43ee-af58-4f2602de0b81",
|
|
"indicator--58ed2d57-db7c-4112-bec8-4f4602de0b81",
|
|
"indicator--58ed2da6-63f4-4aed-8cd0-41e802de0b81",
|
|
"indicator--58ed2dbf-5660-4fd9-a6ba-4bc502de0b81",
|
|
"indicator--58ed2de5-2bd0-4a4d-959c-45df02de0b81",
|
|
"indicator--58ed2e50-6ad8-4998-9917-4d0402de0b81",
|
|
"indicator--58ed2e69-fcc8-4231-96c5-4dc602de0b81",
|
|
"indicator--58ed2ea1-de84-4fd8-83e4-427602de0b81",
|
|
"indicator--58ed2ea2-1270-450c-b73a-498a02de0b81",
|
|
"observed-data--58ed2ea3-9304-4143-ba8c-478902de0b81",
|
|
"url--58ed2ea3-9304-4143-ba8c-478902de0b81",
|
|
"indicator--58ed2ea4-f158-4709-9f95-497702de0b81",
|
|
"indicator--58ed2ea5-cb4c-4612-8f43-436702de0b81",
|
|
"observed-data--58ed2ea7-ad1c-40b8-b755-485a02de0b81",
|
|
"url--58ed2ea7-ad1c-40b8-b755-485a02de0b81",
|
|
"indicator--58ed2ea8-aaec-4ba9-a2e0-4cdd02de0b81",
|
|
"indicator--58ed2ea9-d300-445f-a127-4bed02de0b81",
|
|
"observed-data--58ed2eaa-7fa4-4ab8-a120-45bd02de0b81",
|
|
"url--58ed2eaa-7fa4-4ab8-a120-45bd02de0b81",
|
|
"indicator--58ed2eab-5f60-4ec0-ad19-4c4702de0b81",
|
|
"indicator--58ed2eac-4b60-492d-82b1-45be02de0b81",
|
|
"observed-data--58ed2eae-944c-443c-a126-421302de0b81",
|
|
"url--58ed2eae-944c-443c-a126-421302de0b81",
|
|
"indicator--58ed2eae-b31c-4009-ac2d-4be002de0b81",
|
|
"indicator--58ed2eaf-af18-47b9-8151-44ea02de0b81",
|
|
"observed-data--58ed2eb0-2948-4c1f-9107-4f8002de0b81",
|
|
"url--58ed2eb0-2948-4c1f-9107-4f8002de0b81"
|
|
],
|
|
"labels": [
|
|
"Threat-Report",
|
|
"misp:tool=\"MISP-STIX-Converter\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"object_marking_refs": [
|
|
"marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9"
|
|
]
|
|
},
|
|
{
|
|
"type": "x-misp-attribute",
|
|
"spec_version": "2.1",
|
|
"id": "x-misp-attribute--58ed2c51-35cc-45dc-9afe-4c0102de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:30:40.000Z",
|
|
"modified": "2017-04-11T19:30:40.000Z",
|
|
"labels": [
|
|
"misp:type=\"text\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
],
|
|
"x_misp_category": "External analysis",
|
|
"x_misp_type": "text",
|
|
"x_misp_value": "FireEye recently detected malicious Microsoft Office RTF documents that leverage CVE-2017-0199, a previously undisclosed vulnerability. This vulnerability allows a malicious actor to download and execute a Visual Basic script containing PowerShell commands when a user opens a document containing an embedded exploit. FireEye has observed Office documents exploiting CVE-2017-0199 that download and execute malware payloads from different well-known malware families.\r\n\r\nFireEye shared the details of the vulnerability with Microsoft and has been coordinating public disclosure timed with the release of a patch by Microsoft to address the vulnerability, which can be found here.\r\n\r\nThe vulnerability bypassed most mitigations prior to patch availability; however, FireEye email and network products detected the malicious documents. FireEye recommends that Microsoft Office users apply the patch from Microsoft."
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:30:39.000Z",
|
|
"modified": "2017-04-11T19:30:39.000Z",
|
|
"first_observed": "2017-04-11T19:30:39Z",
|
|
"last_observed": "2017-04-11T19:30:39Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\"",
|
|
"osint:source-type=\"blog-post\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58ed2c6d-d4b0-4a1d-b1f2-9f1f02de0b81",
|
|
"value": "https://www.fireeye.com/blog/threat-research/2017/04/cve-2017-0199-hta-handler.html"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2caa-a484-459e-ab44-446802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "СПУТНИК РАЗВЕДЧИКА.doc",
|
|
"pattern": "[file:hashes.MD5 = 'c10dabb05a38edd8a9a0ddda1c9af10e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2cab-1eec-4d47-8efe-455502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "template.doc",
|
|
"pattern": "[file:hashes.MD5 = '9dec125f006f787a3f8ad464d480eed1']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2cac-fc8c-49d8-a0e3-47f302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "copy.jpg/winword.exe",
|
|
"pattern": "[file:hashes.MD5 = 'acde6fb59ed431000107c8e8ca1b7266']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2cad-febc-4229-b7bd-430f02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "docu.doc/document.doc",
|
|
"pattern": "[file:hashes.MD5 = 'e01982913fbc22188b83f5f9fadc1c17']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "vulnerability",
|
|
"spec_version": "2.1",
|
|
"id": "vulnerability--58ed2cbc-9e64-4851-9097-475802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"name": "CVE-2017-0199",
|
|
"labels": [
|
|
"misp:type=\"vulnerability\"",
|
|
"misp:category=\"Payload delivery\""
|
|
],
|
|
"external_references": [
|
|
{
|
|
"source_name": "cve",
|
|
"external_id": "CVE-2017-0199"
|
|
}
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2d51-5fec-442b-a196-41dd02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "hire_form.doc Malicious document",
|
|
"pattern": "[file:hashes.MD5 = '5ebfd13250dd0408e3de594e419f9e01']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2d52-d5d0-4238-ad25-496502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "template.doc/template[?].hta Malicious HTA file",
|
|
"pattern": "[file:hashes.MD5 = 'fb475f0d8c8e9bf1bc360211179d8a28']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2d53-d174-406f-9e97-438e02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "ww.vbs/maintenance.vbs Stage two VBScript",
|
|
"pattern": "[file:hashes.MD5 = '984658e34e634d56423797858a711846']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2d54-b650-421e-a53e-435c02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "questions.doc/document.doc Decoy document",
|
|
"pattern": "[file:hashes.MD5 = '73bf8647920eacc7cc377b3602a7ee7a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2d55-aaa0-4f29-86dd-494402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "eoobvfwiglhiliqougukgm.js Malicious script",
|
|
"pattern": "[file:hashes.MD5 = '11fb87888bbb4dcea4891ab856ac1c52']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2d56-1cfc-43ee-af58-4f2602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "wood.exe/ dcihprianeeyirdeuceulx.exe Final payload",
|
|
"pattern": "[file:hashes.MD5 = 'a1faa23a3ef8cef372f5f74aed82d2de']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2d57-db7c-4112-bec8-4f4602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload",
|
|
"pattern": "[file:hashes.MD5 = '15e51cdbd938545c9af47806984b1667']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"md5\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2da6-63f4-4aed-8cd0-41e802de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"pattern": "[url:value = 'http://www.modani.com/media/wysiwyg/ww.vbs']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2dbf-5660-4fd9-a6ba-4bc502de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"pattern": "[url:value = 'http://www.modani.com/media/wysiwyg/wood.exe']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2de5-2bd0-4a4d-959c-45df02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "variant then connects to the following command and control (C2) server",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '217.12.203.90']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2e50-6ad8-4998-9917-4d0402de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "The initial stage reached out to the following URL to download the stage one malicious HTA file:",
|
|
"pattern": "[url:value = 'http://95.141.38.110/mo/dnr/tmp/template.doc']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"url\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2e69-fcc8-4231-96c5-4dc602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:18.000Z",
|
|
"modified": "2017-04-11T19:29:18.000Z",
|
|
"description": "Malicious HTA",
|
|
"pattern": "[network-traffic:dst_ref.type = 'ipv4-addr' AND network-traffic:dst_ref.value = '95.141.38.110']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:18Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Network activity"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"ip-dst\"",
|
|
"misp:category=\"Network activity\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2ea1-de84-4fd8-83e4-427602de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:37.000Z",
|
|
"modified": "2017-04-11T19:29:37.000Z",
|
|
"description": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload - Xchecked via VT: 15e51cdbd938545c9af47806984b1667",
|
|
"pattern": "[file:hashes.SHA256 = '169c9cc7120fa64c7c02cbbf3aeeefd02fef32ca5dcc61093d1ea012e4f39a18']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:37Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2ea2-1270-450c-b73a-498a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:38.000Z",
|
|
"modified": "2017-04-11T19:29:38.000Z",
|
|
"description": "wood.exe/ dcihprianeeyirdeuceulx.exe Updated final payload - Xchecked via VT: 15e51cdbd938545c9af47806984b1667",
|
|
"pattern": "[file:hashes.SHA1 = 'ea434604b3de06110de582a9c003c2b60368b33e']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:38Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58ed2ea3-9304-4143-ba8c-478902de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:39.000Z",
|
|
"modified": "2017-04-11T19:29:39.000Z",
|
|
"first_observed": "2017-04-11T19:29:39Z",
|
|
"last_observed": "2017-04-11T19:29:39Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58ed2ea3-9304-4143-ba8c-478902de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58ed2ea3-9304-4143-ba8c-478902de0b81",
|
|
"value": "https://www.virustotal.com/file/169c9cc7120fa64c7c02cbbf3aeeefd02fef32ca5dcc61093d1ea012e4f39a18/analysis/1491819886/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2ea4-f158-4709-9f95-497702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:40.000Z",
|
|
"modified": "2017-04-11T19:29:40.000Z",
|
|
"description": "template.doc/template[?].hta Malicious HTA file - Xchecked via VT: fb475f0d8c8e9bf1bc360211179d8a28",
|
|
"pattern": "[file:hashes.SHA256 = '3e72bfa3ca0880226cacdbac28299d2a0bacde556ad3400d76be8f1666940828']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:40Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2ea5-cb4c-4612-8f43-436702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:41.000Z",
|
|
"modified": "2017-04-11T19:29:41.000Z",
|
|
"description": "template.doc/template[?].hta Malicious HTA file - Xchecked via VT: fb475f0d8c8e9bf1bc360211179d8a28",
|
|
"pattern": "[file:hashes.SHA1 = '3bb5af725d63a18a306506b3ebd12aed820e00eb']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:41Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58ed2ea7-ad1c-40b8-b755-485a02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:43.000Z",
|
|
"modified": "2017-04-11T19:29:43.000Z",
|
|
"first_observed": "2017-04-11T19:29:43Z",
|
|
"last_observed": "2017-04-11T19:29:43Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58ed2ea7-ad1c-40b8-b755-485a02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58ed2ea7-ad1c-40b8-b755-485a02de0b81",
|
|
"value": "https://www.virustotal.com/file/3e72bfa3ca0880226cacdbac28299d2a0bacde556ad3400d76be8f1666940828/analysis/1491935832/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2ea8-aaec-4ba9-a2e0-4cdd02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:44.000Z",
|
|
"modified": "2017-04-11T19:29:44.000Z",
|
|
"description": "hire_form.doc Malicious document - Xchecked via VT: 5ebfd13250dd0408e3de594e419f9e01",
|
|
"pattern": "[file:hashes.SHA256 = '13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:44Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2ea9-d300-445f-a127-4bed02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:45.000Z",
|
|
"modified": "2017-04-11T19:29:45.000Z",
|
|
"description": "hire_form.doc Malicious document - Xchecked via VT: 5ebfd13250dd0408e3de594e419f9e01",
|
|
"pattern": "[file:hashes.SHA1 = '0f3b135fd9eb3c6befbeb69f418ac182aeb56557']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:45Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58ed2eaa-7fa4-4ab8-a120-45bd02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:46.000Z",
|
|
"modified": "2017-04-11T19:29:46.000Z",
|
|
"first_observed": "2017-04-11T19:29:46Z",
|
|
"last_observed": "2017-04-11T19:29:46Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58ed2eaa-7fa4-4ab8-a120-45bd02de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58ed2eaa-7fa4-4ab8-a120-45bd02de0b81",
|
|
"value": "https://www.virustotal.com/file/13d0d0b67c8e881e858ae8cbece32ee464775b33a9ffcec6bff4dd3085dbb575/analysis/1491931544/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2eab-5f60-4ec0-ad19-4c4702de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:47.000Z",
|
|
"modified": "2017-04-11T19:29:47.000Z",
|
|
"description": "docu.doc/document.doc - Xchecked via VT: e01982913fbc22188b83f5f9fadc1c17",
|
|
"pattern": "[file:hashes.SHA256 = '01220917060a94315eeeb04e1ee1263c024e54e66058cb1f910dec3a48fef42a']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:47Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2eac-4b60-492d-82b1-45be02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:48.000Z",
|
|
"modified": "2017-04-11T19:29:48.000Z",
|
|
"description": "docu.doc/document.doc - Xchecked via VT: e01982913fbc22188b83f5f9fadc1c17",
|
|
"pattern": "[file:hashes.SHA1 = 'fa504cb04ea83ecf1d360062fe612aba5e678f68']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:48Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58ed2eae-944c-443c-a126-421302de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:50.000Z",
|
|
"modified": "2017-04-11T19:29:50.000Z",
|
|
"first_observed": "2017-04-11T19:29:50Z",
|
|
"last_observed": "2017-04-11T19:29:50Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58ed2eae-944c-443c-a126-421302de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58ed2eae-944c-443c-a126-421302de0b81",
|
|
"value": "https://www.virustotal.com/file/01220917060a94315eeeb04e1ee1263c024e54e66058cb1f910dec3a48fef42a/analysis/1491867682/"
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2eae-b31c-4009-ac2d-4be002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:50.000Z",
|
|
"modified": "2017-04-11T19:29:50.000Z",
|
|
"description": "СПУТНИК РАЗВЕДЧИКА.doc - Xchecked via VT: c10dabb05a38edd8a9a0ddda1c9af10e",
|
|
"pattern": "[file:hashes.SHA256 = 'f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:50Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha256\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "indicator",
|
|
"spec_version": "2.1",
|
|
"id": "indicator--58ed2eaf-af18-47b9-8151-44ea02de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:51.000Z",
|
|
"modified": "2017-04-11T19:29:51.000Z",
|
|
"description": "СПУТНИК РАЗВЕДЧИКА.doc - Xchecked via VT: c10dabb05a38edd8a9a0ddda1c9af10e",
|
|
"pattern": "[file:hashes.SHA1 = '9aed05edab5d0200eb509ed22c8c30f19652814c']",
|
|
"pattern_type": "stix",
|
|
"pattern_version": "2.1",
|
|
"valid_from": "2017-04-11T19:29:51Z",
|
|
"kill_chain_phases": [
|
|
{
|
|
"kill_chain_name": "misp-category",
|
|
"phase_name": "Payload delivery"
|
|
}
|
|
],
|
|
"labels": [
|
|
"misp:type=\"sha1\"",
|
|
"misp:category=\"Payload delivery\"",
|
|
"misp:to_ids=\"True\""
|
|
]
|
|
},
|
|
{
|
|
"type": "observed-data",
|
|
"spec_version": "2.1",
|
|
"id": "observed-data--58ed2eb0-2948-4c1f-9107-4f8002de0b81",
|
|
"created_by_ref": "identity--55f6ea5e-2c60-40e5-964f-47a8950d210f",
|
|
"created": "2017-04-11T19:29:52.000Z",
|
|
"modified": "2017-04-11T19:29:52.000Z",
|
|
"first_observed": "2017-04-11T19:29:52Z",
|
|
"last_observed": "2017-04-11T19:29:52Z",
|
|
"number_observed": 1,
|
|
"object_refs": [
|
|
"url--58ed2eb0-2948-4c1f-9107-4f8002de0b81"
|
|
],
|
|
"labels": [
|
|
"misp:type=\"link\"",
|
|
"misp:category=\"External analysis\""
|
|
]
|
|
},
|
|
{
|
|
"type": "url",
|
|
"spec_version": "2.1",
|
|
"id": "url--58ed2eb0-2948-4c1f-9107-4f8002de0b81",
|
|
"value": "https://www.virustotal.com/file/f4a0f65e9161a266b557e3850e3d17f08b2843ee560f8a89ecf7059eba104e66/analysis/1491801507/"
|
|
},
|
|
{
|
|
"type": "marking-definition",
|
|
"spec_version": "2.1",
|
|
"id": "marking-definition--613f2e26-407d-48c7-9eca-b8e91df99dc9",
|
|
"created": "2017-01-20T00:00:00.000Z",
|
|
"definition_type": "tlp",
|
|
"name": "TLP:WHITE",
|
|
"definition": {
|
|
"tlp": "white"
|
|
}
|
|
}
|
|
]
|
|
} |